Forum Discussion
CUCOOPE
Nov 17, 2021 | Copper Contributor
Microsoft App Access Panel requires MFA but we didn't enable it
Hi. Recently we've received a report from a user that he was asked to perform MFA when he was signing in. After checking the sign-in logs, we've found that it was an application called "Microsoft App...
Ankit0809
Nov 27, 2023 | Copper Contributor
This behavior is by design as the MFA requirement is enforced by the Microsoft App Access Panel application itself regardless of any CA policy applying or not:
- The "Microsoft App Access Panel" application is part of the suite of apps that represent the Security Info section of Azure AD where users can manage their Azure MFA and SSPR verification methods.
- During a sign-in attempt to the Security Info section the user is prompted for Azure MFA by the "Microsoft App Access Panel" application itself via the request parameters sent by the application.
- The above behavior is entirely by design and expected for users who already have an Azure MFA method registered when accessing the Security Info section. This is due to security concerns, as we want to make sure that the legitimate user is the one attempting to connect to the Security Info section, and for this reason we ask the user to first perform Azure MFA based on the existing MFA method before allowing them access to manage the security info (like Azure MFA methods or SSPR methods).
- Imagine allowing a bad actor who has compromised the user's first-factor credentials (username and password) to access the Security Info section and register their own MFA methods instead of the user.
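A triage sketch for the sign-in log check described in this thread, added here as an example and not part of the reply above: it separates MFA prompts explained by an enforced Conditional Access policy from prompts raised by the "Microsoft App Access Panel" application itself. The field names are assumed to match an exported sign-in log in the shape of the Microsoft Graph signIn resource, and the records, users and policy names are constructed.

```python
import json

# Constructed sample records shaped like an exported sign-in log.
# Field names are an assumption (Microsoft Graph signIn resource / portal export).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft App Access Panel",
     "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "success"}]},
    {"userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Office 365 SharePoint Online",
     "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy auth", "result": "notApplied"}]},
    {"userPrincipalName": "dave@contoso.example",
     "appDisplayName": "Azure Portal",
     "authenticationRequirement": "singleFactorAuthentication",
     "appliedConditionalAccessPolicies": []},
])

SECURITY_INFO_APP = "Microsoft App Access Panel"  # application named in the thread
ENFORCED = {"success", "failure"}  # policy results that mean the policy was enforced


def classify(rec):
    """Return the most likely reason MFA was required for one sign-in record."""
    if rec.get("authenticationRequirement") != "multiFactorAuthentication":
        return "no-mfa-required"
    enforced = [p.get("displayName", "?")
                for p in rec.get("appliedConditionalAccessPolicies") or []
                if p.get("result") in ENFORCED]
    if enforced:
        return "conditional-access: " + ", ".join(enforced)
    if rec.get("appDisplayName") == SECURITY_INFO_APP:
        return "app-enforced (Security Info, by design)"
    return "unexplained: investigate further"


def triage(export_json):
    """Map each user in the export to the reason MFA was required."""
    return {r["userPrincipalName"]: classify(r) for r in json.loads(export_json)}


if __name__ == "__main__":
    for user, reason in triage(SAMPLE_EXPORT).items():
        print(f"{user}: {reason}")
```
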
DaveTheTeamsGuy
Jul 09, 2024 | Iron Contributor
This is a nice explanation, but unfortunately Microsoft App Access Panel is showing up in the workflow to register MFA for the first time.